Facebook Unmasks Reputed Koobface Gang Members

The mask protecting the infamous Koobface gang appears to have been yanked down by a mix of Facebook investigators and security researchers.

According to the New York Times, those tracking the worm have identified the following five people as being part of the Koobface crew, which has adopted the name “Ali Baba & 4”: Anton Korotchenko, who uses the online alias “KrotReal”; Stanislav Avdeyko, known as “leDed”; Svyatoslav E. Polichuck, who goes by the names “PsViat” and “PsycoMan”; Roman P. Koturbach, who uses the moniker “PoMuc”; and Alexander Koltysehv, who goes by the nickname “Floppy.”

Members of the gang are believed to be hiding in plain sight in St. Petersburg, Russia. Efforts by the Times to contact the five were unsuccessful.

Graham Cluley, senior technology consultant at Sophos, blogged that the company’s own investigation of the crew uncovered the same five names. He cautioned, however, that the people named have not yet been charged, and that the evidence only links individual names to the online aliases used by the Koobface gang.

The Koobface worm has been the source of much research and speculation since it was first detected back in 2008. The worm, which got its name from an anagram of Facebook, is known for targeting a variety of social networks including MySpace, hi5, and of course, Facebook.

The worm is known for hitting users with pay-per-install malware as well as hijacking search queries to display advertisements. A report from the Information Warfare Monitor initiative in 2010 showed that the crew behind the malware made more than $2 million between June 2009 and June 2010 using pay-per-click and pay-per-install affiliate programs and compromising computers with rogue antivirus.

Just recently, researchers at Trend Micro reported that the Koobface crew designed their own traffic direction system (TDS) to aid in their operations and possibly offer as a service to others. The gang’s TDS handles all the traffic referred to their affiliate sites, which, combined with new binary components, increases the amount of traffic headed to their TDS and generates a bigger profit.

Facebook did not respond to a request for comment by SecurityWeek on the situation. However, Cluley blogged that Sophos has shared its findings with authorities, and the Times reported Facebook has done the same. According to the Times, Facebook officials believe naming names can make it harder for cyber-crews to operate.

“We’ve had a picture of one of the guys in a scuba mask on our wall since 2008,” Ryan McGeehan, manager of investigations and incident response at Facebook, told the Times.